ISSAP – Information Systems Security Architecture Professional

So, I recently received confirmation from the ISC2 (International Information Systems Security Certification Consortium) that I passed the ISSAP exam. The ISSAP is the security architecture concentration that can be added to the CISSP (Certified Information Systems Security Professional) certification.

I believe this should be a worthwhile addition to my CISSP, and of course to my CV, and that it will help me progress in my current role, so I felt I should write a post about my preparation for the exam.

As with the CISSP, the best way to be prepared is to have a solid grounding in the subject matter, i.e. IT security and technical / solutions architecture. Indeed, several years of industry experience is a prerequisite for obtaining these certifications.

Also as with the CISSP, I chose to cover the bulk of the revision by using the ISC2 recommended course text. For the CISSP I used the well regarded Shon Harris ‘CISSP All-in-One Exam Guide’, which is well written and very comprehensive.

For the ISSAP I used the ISC2 Official Study Guide to the CISSP-ISSAP. Currently this is the only book written specifically for the ISSAP exam that claims to cover all aspects of it. Personally I found this book to be very badly written and hard to read. The first chapter must have used the phrase ‘Confidentiality, Integrity, Availability’ in almost every sentence. Yes, we all know that CIA is important and that it is what we are aiming for, but there is no need to repeat it so often.

Other sections of the book only skimmed over areas that were quite heavily covered in the exam.

In short, if you did not already have a very solid grounding and experience in the areas covered by the exam, this official guide would not be anywhere near enough to pass it. Obviously the ISC2 may argue that you are supposed to have industry experience, but that experience does not necessarily cover everything in the exam, such as specific components of the Common Body of Knowledge or particular standards.

If you are a CISSP involved in designing secure architectures then this certainly seems like a worthwhile certification to go for. I would advise doing some supplementary reading covering the Common Body of Knowledge and something like ‘Enterprise Security Architecture’, along with, of course, a solid background in both security and architecture.

As an aside, I am a firm believer that study and / or involvement in IT-related work such as writing white papers, contributing to open source, etc. is not only a great way to improve your skills and knowledge, but also essential to show current and future employers that you are genuinely passionate about what you do rather than it just being a job.

Hi, I am planning on taking the ISSAP exam. I have been relying heavily on the Official Guide and do agree with your comment regarding the book skimming over the other key topics.
A question on which I would appreciate an answer: with the CISSP, there were quite a few topics that a candidate was expected to memorize. Is that still applicable here as well? I understand that the objective of the exam is to test one’s design and architecture concepts, but I would be quite surprised if it didn’t touch the underlying principles…

If you have a CISSP and some security architecture experience, use the book to fill the gaps in areas you don’t usually work in and you should be fine.
This was certainly no more difficult than the CISSP, although that may be helped by my background.
cheers
K

Hi Kevin,
Can you advise me on a book list for ISSAP study, besides the official (ISC)2 CBK? I felt the (ISC)2 official CBK is OK for the exam, but it is not enough for a job. For example, some chapters in the CBK for the CISSP, like Software Development Security, are out of date and not detailed enough. So I am looking for some books that can help me build my knowledge to be a better architect.